The Cost Of Fixing An Application Vulnerability

The cleanup cost for fixing a bug in a homegrown Web application ranges anywhere from $400 to $4,000, depending on the vulnerability and the way it’s fixed.

Security experts traditionally have been hesitant to calculate the actual cost associated with bug fixes because there are so many variables, including the severity of the vulnerability, differences in man-hour rates, and the makeup of the actual fix.

But with the call for more secure coding ringing louder all the time, enterprises are faced with looking more closely at how much they must spend to fix holes in their applications. Jeremiah Grossman, CTO of WhiteHat Security, recently conducted an informal poll about the costs to enterprises for fixing bugs in their Web applications. He went with a relatively conservative estimate, calculating that it takes about 40 man-hours at $100 per hour to fix one vulnerability in a Website, or $4,000. And given that WhiteHat finds an average of seven vulnerabilities per Website, it comes out to about $28,000 to remediate a Website.

I think that fixing a vulnerability without looking at the whole picture is a common mistake; there should be a complete vulnerability management process in place in order to mitigate the risk of getting hacked. The Common Vulnerability Scoring System (CVSS) brings together various vulnerability properties, such as priority, exploitability and impact. It provides a way to score a vulnerability so that it can indicate the severity of the hole; however, it still needs to be enhanced with business-value and threat data.
We should also be prepared for zero-day vulnerabilities by building in a substantial amount of hardening and careful network and host security monitoring to make us aware of what’s happening.